[openstack-announce] [OSSN-0086] erratum: Dell EMC ScaleIO/VxFlex OS Backend Credentials Exposure

Brian Rosmaita rosmaita.fossdev at gmail.com
Thu Jun 18 21:19:36 UTC 2020


As you may recall, the fix for this issue required patches for both 
Cinder and the os-brick library.

The original patch for os-brick contained a flaw [0] that prevented the 
scaleio connector from operating when run under Python 2.7.  Thus for 
OpenStack releases supporting Python 2.7 (that is, Train and earlier), a 
second os-brick patch is required and is listed below.  (The Cinder and 
first os-brick patch are unchanged, but are listed below for completeness).

[0] https://bugs.launchpad.net/os-brick/+bug/1883654


#### Patches ####

Queens
* cinder: https://review.opendev.org/733110
* os-brick: https://review.opendev.org/733104
             and https://review.opendev.org/736749

Rocky
* cinder: https://review.opendev.org/733109
* os-brick: https://review.opendev.org/733103
             and https://review.opendev.org/736415

Stein
* cinder: https://review.opendev.org/733108
* os-brick: https://review.opendev.org/733102
             and https://review.opendev.org/736395

Train
* cinder: https://review.opendev.org/733107
* os-brick: https://review.opendev.org/733100
             and https://review.opendev.org/735989

Updated releases of os-brick incorporating the second patch are now 
available:
Stein: os-brick 2.8.6
Train: os-brick 2.10.4

Point releases of cinder for Stein and Train will be made as soon as 
possible.  These will be:
Stein: cinder 14.1.1, requires os-brick 2.8.6
Train: cinder 15.2.1, requires os-brick 2.10.4


### Contacts / References ###
Author: Brian Rosmaita, Red Hat
OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0086
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1823200
Mailing List : [Security] tag on openstack-discuss at lists.openstack.org
OpenStack Security Project : https://launchpad.net/~openstack-ossg
CVE: CVE-2020-10755



More information about the OpenStack-announce mailing list